Well, I finished up the lab portfolio today!!!! Hooraaahhh
I felt that I finished up pretty strong writing some VACLs on one of my switches. Basically permitting a host to still use its default gateway, but blocking it from reaching other hosts on the VLAN. Config is as follows:
dsl2(config)#ip access-list extended temp-host
dsl2(config-ext-nacl)#permit ip host 172.16.200.7 172.16.200.0 0.0.0.255 - id what you are identifying
dsl2(config-ext-nacl)#exit
dsl2(config)#vlan access-map block-temp 10 -create "access-map"
dsl2(config-access-map)#match ip address temp-host
dsl2(config-access-map)#action ?
drop Drop packets
forward Forward packets
dsl2(config-access-map)#action drop - drop packets from 172.16.200.7
dsl2(config-access-map)#vlan access-map block-temp 20
dsl2(config-access-map)#action forward - permit all others (there is still an implicit deny at the end)
dsl2(config-access-map)#exit
dsl2(config)#vlan filter block-temp vlan-list 200 - identify the access-map with a specific vlan
dsl2(config)#end
dsl2#sh vlan access-map - check your work
Vlan access-map "block-temp" 10
Match clauses:
ip address: temp-host
Action:
drop
Vlan access-map "block-temp" 20
Match clauses:
Action:
forward
I did test this with a host in vlan 200 with the ip address of 172.16.200.7. It worked flawlessly. The host could not communicate within the vlan, but could still get out to others and the internet.
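As an added illustration (not code from the original post), here is a small Python model of the wildcard match and the access-map sequence walk, run over a few constructed packets. It shows why the host can still reach everything off the VLAN: routed traffic carries an off-subnet destination IP and never matches temp-host, while a packet addressed to the gateway's own IP (172.16.200.1, the VLAN 200 gateway from the Lab 8 post) does match and is dropped.

```python
import ipaddress

# Added example: a model of the post's VLAN access-map, not IOS code.
# In an IOS wildcard mask a 1 bit means "don't care" for that address bit.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ip access-list extended temp-host
#   permit ip host 172.16.200.7 172.16.200.0 0.0.0.255
# Entries are (action, src, src_wildcard, dst, dst_wildcard); 'host x' is x 0.0.0.0.
TEMP_HOST = [
    ("permit", "172.16.200.7", "0.0.0.0", "172.16.200.0", "0.0.0.255"),
]

def acl_matches(acl, src: str, dst: str) -> bool:
    """A VACL match clause hits only on a permit entry. A deny entry, or the
    implicit deny at the end of the ACL, means 'not matched' and evaluation
    falls through to the next access-map sequence."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# vlan access-map block-temp 10: match ip address temp-host / action drop
# vlan access-map block-temp 20: no match clause (matches everything) / action forward
BLOCK_TEMP = [
    (10, TEMP_HOST, "drop"),
    (20, None, "forward"),
]

def vacl_action(access_map, src: str, dst: str) -> str:
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"   # implicit deny: a packet that matches no sequence is dropped

def lab_results(access_map=BLOCK_TEMP) -> dict:
    """Constructed packets: .7 is the filtered host, .1 the gateway for VLAN 200,
    and 198.51.100.10 stands in for a host out on the internet."""
    packets = {
        "host -> peer on vlan":         ("172.16.200.7", "172.16.200.50"),
        "host -> gateway's own ip":     ("172.16.200.7", "172.16.200.1"),
        "host -> internet via gateway": ("172.16.200.7", "198.51.100.10"),
        "peer -> host on vlan":         ("172.16.200.50", "172.16.200.7"),
    }
    return {name: vacl_action(access_map, s, d) for name, (s, d) in packets.items()}

if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:30s} {verdict}")
    # Without sequence 20 the implicit deny would drop every other host's traffic too.
    print("peer -> peer, seq 20 removed:  ",
          vacl_action(BLOCK_TEMP[:1], "172.16.200.50", "172.16.200.51"))
```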
So, now it's on to a little review, some practice questions, reinforcement labbing, and then the exam pretty soon! I will keep everyone posted (the few that may ever see this anyways!).
Sunday, August 30, 2009
STP Root Guard
Well, using the same topology as before, I configured DLS 1 to be the root switch for vlans 1 and 100, while being the secondary for vlan 200.
dls1(config)#spanning-tree vlan 1,100 root primary
dls1(config)#spanning-tree vlan 200 root secondary
I essentially did the same thing, except opposite on DLS2, making it the root for 200, and the secondary root for 1 and 100. This gives some consistency in the network, allowing the admin to really control what is happening with the elections. This primarily gives each switch a value based on the current root's priority.
When you enter this command, the switch checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. --> From Cisco.com
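The quoted arithmetic and the bridge ID comparison behind it, as an added Python model (not from the post or from Cisco). It also covers the value 'root secondary' configures, 28672, which the page does not state. The MACs are the two bridge addresses from the 'sh spanning' output in the STP Features post further down; which switch owns which is assumed.

```python
from __future__ import annotations

# Added example: a model of 'spanning-tree vlan N root primary' and of the
# election it is meant to win. Not IOS code.

DEFAULT_PRIORITY = 32768
PRIMARY_TARGET = 24576
SECONDARY_PRIORITY = 28672   # what 'root secondary' configures

def root_primary_priority(current_root_priority: int) -> int:
    """Priority the macro sets for VLAN N, given the priority (without the
    VLAN part) of the current root bridge for N."""
    if current_root_priority > PRIMARY_TARGET:
        return PRIMARY_TARGET
    new = current_root_priority - 4096
    if new < 0:
        # Modelling assumption: a root already at priority 0 cannot be undercut,
        # so the macro cannot succeed.
        raise ValueError("current root is at priority 0; cannot go lower")
    return new

def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    """With the extended system ID the 16-bit priority field is
    priority (multiple of 4096) + VLAN ID, and the MAC breaks ties. Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, int(mac.replace(".", ""), 16))

def elect_root(vlan: int, switches: dict[str, tuple[int, str]]) -> str:
    """switches maps name -> (priority configured for this VLAN, base MAC)."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))

def lab_election() -> dict[int, str]:
    """DLS1 runs 'root primary' for 1,100 and 'root secondary' for 200; DLS2 the
    opposite. Each macro runs while the other switch still sits at the default."""
    macs = {"DLS1": "000d.65eb.5e80", "DLS2": "0014.692f.7f00"}   # ownership assumed
    outcome = {}
    for vlan in (1, 100, 200):
        primary, secondary = ("DLS2", "DLS1") if vlan == 200 else ("DLS1", "DLS2")
        prio = {primary: root_primary_priority(DEFAULT_PRIORITY),
                secondary: SECONDARY_PRIORITY}
        outcome[vlan] = elect_root(vlan, {n: (prio[n], macs[n]) for n in macs})
    return outcome

if __name__ == "__main__":
    print(lab_election())                    # {1: 'DLS1', 100: 'DLS1', 200: 'DLS2'}
    # Everyone at the default: the lowest MAC wins (the SW1 case in the HSRP post).
    print(elect_root(1, {"SW1": (32768, "000d.65eb.5e80"),
                         "SW2": (32768, "0014.692f.7f00")}))
    print(root_primary_priority(24576))      # 20480: undercut a root already at 24576
```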
I then, just for fun, was playing with root guard. This again is a feature to protect from rogue switches being placed on the network and taking over root bridge responsibilities if they have a lower priority number. Essentially, if a superior BPDU is received on a port with this feature, the port will be placed in the root-inconsistent state. Look what happened when I configured it on the port channel connecting DLS1 and DLS2:
dsl2(config-if)#spanning-tree guard root
dsl2(config-if)#*Mar 1 00:28:31.159: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
*Mar 1 00:28:31.163: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.
dsl2(config-if)#
*Mar 1 00:28:40.831: %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
*Mar 1 00:28:40.879: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Standby -> Active
Whoa! Blocked the port, and forced an HSRP statechange. Now, the port stayed blocked, but DLS 1 took its active HSRP priority back over (Remember this was a redundant switching topology!) It just took a little bit. Around 1 minute.
I think that I have talked about this before...but admins can also enable BPDU guard on ports with portfast enabled. Because BPDUs are NOT expected to be heard on ports with portfast enabled, why not ensure that if BPDUs are received, the switchport is shut down? Do you really want switches plugged in where you're not expecting them? Not me! Enable it globally on all portfast ports by typing:
dsl2(config)#spanning-tree portfast bpduguard default
dsl2(config)#end
dsl2#
*Mar 1 00:44:40.051: %SYS-5-CONFIG_I: Configured from console by console
dsl2#sh spanning summary
Switch is in pvst mode
Root bridge for: VLAN0200
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Saturday, August 29, 2009
BCMSN Lab 8 - Switch Security
Saturday at last! The kid is napping, the wife is working on her project, and I finally get some "daytime" studying hours. Today I labbed up the switch security chapter in the BCMSN Lab Portfolio. I started with a lab topology that looked like so:
Just a note: I did not hook up ALS2. I ran basically a triangle with dls1, dls2, and als1. A dhcp server was set up off of fa0/6 on dls1. This lab also ran these vlans and HSRP gateways:
- VLAN 1 - 172.16.1.1/24
- VLAN100 (staff)- 172.16.100.1/24 (USERS WERE ON ALS1 FA0/3 -4)
- VLAN200 (students)- 172.16.200.1/24 (USERS WERE ON ALS1 FA0/1 -2)
ALS1(config)#int range fa0/3 - 4
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switchport access vlan 200
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switch port-security max 1
ALS1(config-if-range)#end
ALS1#sh port-security interface fastEthernet 0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
The staff ports were configured as follows:
ALS1(config)#int range fa0/1 - 2
ALS1(config-if-range)#switchport mode access
ALS1(config-if-range)#switch access vlan 100
ALS1(config-if-range)#switchport port-security
ALS1(config-if-range)#switchport port-security maximum 2
ALS1(config-if-range)#switchport port-security mac-address sticky ?
H.H.H 48 bit mac address
ALS1(config-if-range)#switchport port-security mac-address sticky
ALS1(config-if-range)#end
ALS1#sh port-security int fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
So as you can see, the configured maximum MAC addresses to be learned on the ports were different for the two access VLAN ports. The mac-address sticky command allows the first two MAC addresses to be learned dynamically and then added to the running config. Watch what happens when I plug a switch into that port:
ALS1#sh run int fa0/1
Building configuration...
Current configuration : 312 bytes
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000d.65eb.5e88
switchport port-security mac-address sticky 0014.692f.7f00
end
The first two addresses learned were added to the config. Good shit! Currently there is no aging time set on these ports, so those dynamically learned addresses are it! Notice in the show port-security interface commands, the aging time is 0, essentially disabled. If we wanted to change this we would use the switchport port-security aging {static | time time | type {absolute | inactivity}} command.
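An added Python model (not from the post) of sticky learning and the violation behaviour on those two port types. It generalizes past the post's shutdown mode to restrict and protect, the other two IOS violation modes; the two sticky MACs are from the show run above, every other MAC is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example: a model of port-security on an access port, not IOS code.

@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1
    sticky: bool = False
    violation: str = "shutdown"          # shutdown | restrict | protect
    secure_macs: list = field(default_factory=list)
    status: str = "secure-down"
    violations: int = 0
    last_source: str = "0000.0000.0000"

    def frame_from(self, mac: str) -> str:
        """Process a frame's source MAC; returns 'forward' or 'drop'."""
        if self.status == "err-disabled":
            return "drop"                    # nothing passes until the port is recovered
        self.last_source = mac
        if mac in self.secure_macs:
            self.status = "secure-up"
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)     # aging time 0: this entry never expires
            self.status = "secure-up"
            return "forward"
        # An unknown MAC once the maximum is reached is a violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.status = "err-disabled"     # the whole port goes down
        elif self.violation == "restrict":
            self.violations += 1             # drop and count, port stays up
        # 'protect' drops silently and keeps no count
        return "drop"

    def running_config(self) -> list[str]:
        """The interface section as 'sh run int' would print it."""
        lines = [f"interface {self.name}",
                 f" switchport access vlan {self.vlan}",
                 " switchport mode access",
                 " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            # Sticky learning is what writes the learned MACs into the config.
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs]
        return lines

if __name__ == "__main__":
    staff = SecurePort("FastEthernet0/1", 100, maximum=2, sticky=True)
    for mac in ("000d.65eb.5e88", "0014.692f.7f00", "0000.0c12.3456"):
        print(mac, staff.frame_from(mac), staff.status)
    print("\n".join(staff.running_config()))
```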
The next lesson was DHCP spoofing attack mitigation. This is to protect from rogue DHCP servers being put on your network. They create what is a man-in-the-middle attack scenario, which we should all try to avoid. Here is the basic config:
ALS1(config)#ip dhcp snooping - enable it globally
ALS1(config)#ip dhcp snooping vlan 100 200 - enable it for vlans 100 and 200
ALS1(config)#int fa0/24
ALS1(config-if)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if)#int range fa0/15 - 16
ALS1(config-if-range)#ip dhcp snooping trust - Trust all trunk ports!!
ALS1(config-if-range)#exit
The config was the same on all of the other switches. However on DLS1 I also trusted fa0/6, which was the port that the DHCP server was connected to. Here is a show command from ALS1:
ALS1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100-200
Insertion of option 82 is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/15 yes unlimited - we COULD change this with the ip dhcp snooping limit rate [# in pps command]
FastEthernet0/16 yes unlimited
FastEthernet0/24 yes unlimited
Now the port is supposed to shut down if it sees any dhcp server activity, but the only results I got were that of the packets being blocked :)
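As an added example (not from the post), the following Python models those decisions over constructed packets: a server reply on an untrusted access port is dropped rather than shutting the port, which is the behaviour the post saw; err-disable is what happens when a port exceeds its configured DHCP rate limit. Port names, VLANs, MACs and addresses are assumptions modelled on the lab.

```python
# Added example: a model of what DHCP snooping does with each packet on the
# ports the post configures, not IOS code.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server sends these

class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limits=None):
        self.vlans = set(vlans)                 # ip dhcp snooping vlan 100 200
        self.trusted = set(trusted_ports)       # ip dhcp snooping trust (per port)
        self.rate_limits = rate_limits or {}    # port -> pps from 'ip dhcp snooping limit rate'
        self.seen_this_second = {}              # port -> DHCP packets in the current second
        self.err_disabled = set()
        self.client_port = {}                   # client MAC -> port it was last seen on
        self.bindings = {}                      # client MAC -> (ip, vlan, port), from ACKs

    def tick(self):
        """A new one-second window for the rate limiter."""
        self.seen_this_second.clear()

    def handle(self, port, vlan, msg, client_mac, yiaddr=None):
        """One DHCP packet. Returns (verdict, reason, option82_inserted)."""
        if port in self.err_disabled:
            return "drop", "port err-disabled", False
        if vlan not in self.vlans:
            return "forward", "vlan not snooped", False   # passes untouched
        count = self.seen_this_second.get(port, 0) + 1
        self.seen_this_second[port] = count
        if count > self.rate_limits.get(port, float("inf")):
            self.err_disabled.add(port)          # over the limit: the port is err-disabled
            return "drop", "rate limit exceeded, port err-disabled", False
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                # The rogue-server case: a server reply arriving on an access port.
                return "drop", f"{msg} from untrusted port {port}", False
            if msg == "ACK" and yiaddr:
                # The binding table that DAI and IP source guard later rely on.
                self.bindings[client_mac] = (yiaddr, vlan, self.client_port.get(client_mac))
            return "forward", "server reply on trusted port", False
        # Client message (DISCOVER/REQUEST/...): remember the port and, on an
        # untrusted port, insert option 82 (circuit ID/remote ID) before relaying.
        self.client_port[client_mac] = port
        return "forward", "client message", port not in self.trusted

if __name__ == "__main__":
    als1 = DhcpSnooping([100, 200], {"Fa0/15", "Fa0/16", "Fa0/24"}, {"Fa0/1": 3})
    print(als1.handle("Fa0/1", 100, "DISCOVER", "000d.65eb.5e88"))
    print(als1.handle("Fa0/24", 100, "OFFER", "000d.65eb.5e88"))
    print(als1.handle("Fa0/2", 100, "OFFER", "000d.65eb.5e88"))     # rogue server
    print(als1.handle("Fa0/24", 100, "ACK", "000d.65eb.5e88", yiaddr="172.16.100.50"))
    print(als1.bindings)
```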
Friday, August 28, 2009
BCMSN Lab 7-1 Configuring Switches for IP Telephony Support
I actually found this to be more HSRP labbing than anything else! The main point of this lab however was to set up a L3 switched network with AutoQOS enabled on a couple choice interfaces. Basically you have 2 L3 switches running HSRP on 3 vlans:
- VLAN 100- Data Vlan
- VLAN 200- Voice Vlan
- VLAN 1 - Management Vlan
int fa0/6
switchport access vlan 100
switchport voice vlan 200
auto qos voip cisco-phone
end
Everything there should be relatively self-explanatory except the fourth line. Let me tell you what's going on with that auto qos voip cisco-phone command. First, know that the auto qos command is actually a macro that runs when you hit enter. Multiple lines are sent to the switchport. Check it out:
2950#sh run int fa0/6
interface FastEthernet0/6
switchport access vlan 100 - data vlan
switchport voice vlan 200 - voice vlan
mls qos trust device cisco-phone - This sets the cos trust on a dependency that a cisco voip phone will be on the other end.
mls qos trust cos - this just says "trust the cos value sent to you from the device"..i.e. the cisco phone which sets a cos value of 5 by default
auto qos voip cisco-phone - I entered this to generate everything else.
spanning-tree portfast - cumon! Good to know it executes this as well though!
end
OK, so you're probably like, what the hell do those mean! To be honest, I was too. I went out and read about them, and will attempt to give an explanation here (both for your benefit and mine!). I put the notes above next to the command outputs.
Not to mention the commands set in the global config
wrr-queue bandwidth 10 20 70 1 (sets the bandwidth values for queue 1,2,3,4 (10, 20, 70, 1) "The ratio of the weights is the ratio of frequency in which the WRR scheduler dequeues packets from each queue."
wrr-queue cos-map 1 0 1 (cos values of 0 and 1 are mapped to queue 1)
wrr-queue cos-map 2 2 4 (cos values of 2 and 4 are mapped to queue 2)
wrr-queue cos-map 3 3 6 7 (cos values of 3, 6 and 7 are mapped to queue 3)
wrr-queue cos-map 4 5 (cos values of 5 are mapped to queue 4)
mls qos map cos-dscp 0 8 16 26 32 46 48 56 (maps cos values to differentiated service code point values...this is the default mapping enabled by auto qos)
and a little show command:
2950#sh mls qos int fa0/6
FastEthernet0/6
trust state: not trusted - a phone is NOT connected
trust mode: trust cos
COS override: dis
default COS: 0 - default is 0, however the COS of 5 will be accepted from a voip phone
pass-through: none
trust device: cisco-phone
Most of the detailed QOS stuff is outside the scope of the BCMSN exams, but I thought I should touch on it now so that it isn't a total shock when I hit the topics down the road. Verify your voice vlans and appliance trusts here:
2950#sh int fa0/6 switch
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 100 (100)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 200 (200)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none - I have not extended the trust boundary beyond the cisco phone using the switchport priority extend trust command. Look after I execute it:
2950#sh int fa0/6 switch
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 100 (100)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 200 (200)
\output omitted\
Appliance trust: trusted
The last thing I did was enable the distribution switches to trust my cos information being sent in the L2 frames using the commands:
(config)mls qos - enable it globally
(config-if)auto qos voip trust - trust the incoming qos values
Wednesday, August 26, 2009
GLBP Lab
Gotta remember...Cisco proprietary
Ran some debugs...saw that the hellos go to 224.0.0.102
*Mar 1 04:36:19.363: IP: s=172.16.10.100 (local), d=172.16.10.4 (FastEthernet0/0), len 100, sending
*Mar 1 04:36:20.075: IP: s=172.16.10.1 (FastEthernet0/0), d=224.0.0.102, len 88, rcvd 2
*Mar 1 04:36:20.995: IP: s=172.16.10.3 (local), d=224.0.0.102 (FastEthernet0/0), len 88, sending broad/multicast
Did a pretty standard config....3 routers connected to one switch. Gave each fa0/0 interface a unique address on the 172.16.10.x/24 subnet, and applied the following config:
R1
(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(config-if)glbp 0 priority 120
R2
(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(config-if)glbp 0 priority 110
R3
(config-if)glbp 0 ip 172.16.10.100
(config-if)glbp 0 preempt
(received default priority of 100)
used show glbp [brief]
R3#sh glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Fa0/0 0 - 100 Listen 172.16.10.100 172.16.10.1 172.16.10.2
Fa0/0 0 1 - Active 0007.b400.0001 local -
Fa0/0 0 2 - Listen 0007.b400.0002 172.16.10.1 -
Fa0/0 0 3 - Listen 0007.b400.0003 172.16.10.2 -
The - in the first line identifies the AVG, or active virtual gateway. This is the device that distributes the created GLBP MAC addresses to clients within ARP replies. As you can see, there are 3 different AVFs represented by the 3 routers. 172.16.10.1 is the AVG, and 172.16.10.2 is standing by in case it fails. You can also see which MAC address/IP address is associated with each AVF. I also learned that the first AVF is actually going to be the first one to receive a client.
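An added Python model (not the post's own) of what that show output reflects: the AVG election, the 0007.b400.GGFF forwarder MACs, and the round-robin ARP replies that send the first client to forwarder 1. Router IPs and priorities are the post's; the join order that decides which router owns which forwarder number, and the takeover of a failed router's forwarder by the AVG, are modelling assumptions.

```python
import ipaddress

# Added example: a model of a GLBP group, not IOS code.

def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC is 0007.b400.GGFF: GG = group number, FF = forwarder number."""
    raw = 0x0007B4000000 | (group << 8) | forwarder
    h = f"{raw:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

class GlbpGroup:
    def __init__(self, group: int, vip: str, routers: dict):
        """routers maps interface IP -> priority; all run preempt, as in the lab."""
        self.group, self.vip = group, vip
        self.routers = dict(routers)
        # One AVF per router; forwarder numbers are handed out in join order (assumed).
        self.forwarders = {n: ip for n, ip in enumerate(routers, start=1)}
        self._next = 0

    def avg(self) -> str:
        """Active virtual gateway: highest priority, ties go to the highest IP."""
        return max(self.routers, key=lambda ip: (self.routers[ip], _ip(ip)))

    def standby(self) -> str:
        others = [ip for ip in self.routers if ip != self.avg()]
        return max(others, key=lambda ip: (self.routers[ip], _ip(ip)))

    def arp_reply(self) -> tuple:
        """The AVG answers each ARP request for the VIP with the next forwarder's
        MAC (round-robin, the default load balancing). Returns (mac, router IP)."""
        numbers = sorted(self.forwarders)
        n = numbers[self._next % len(numbers)]
        self._next += 1
        return glbp_vmac(self.group, n), self.forwarders[n]

    def fail(self, ip: str) -> None:
        """A router goes away. Its forwarder MAC is not retired: another AVF takes
        it over, so hosts that cached that MAC keep a working gateway. Modelled
        here as the (possibly new) AVG taking it; the real choice is more involved."""
        self.routers.pop(ip)
        new_owner = self.avg()
        for n, owner in self.forwarders.items():
            if owner == ip:
                self.forwarders[n] = new_owner

if __name__ == "__main__":
    g = GlbpGroup(0, "172.16.10.100",
                  {"172.16.10.1": 120, "172.16.10.2": 110, "172.16.10.3": 100})
    print("AVG", g.avg(), "standby", g.standby())
    for _ in range(4):                       # fourth client wraps back to forwarder 1
        print("ARP reply", g.arp_reply())
    g.fail("172.16.10.1")
    print("after R1 fails: AVG", g.avg(), g.forwarders)
```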
Tuesday, August 25, 2009
HSRP LAB
You know what I keep freakin forgetting? Dumbest shit in the world actually.....during my switch configs I ALWAYS forget the stinking ip default-gateway command!?! That's like switching 101...I pick up pretty quickly after something fails to come back from the switch..but I mean damn. This is like the 10th time in 3 weeks I have done it. Need to embed that into my head...so I wrote it here :)
So I did an HSRP lab tonight. It was pretty fun. I see where the BCMSN lab portfolio is going.....type...repeat...type....repeat. That's ok though, I figure that it will be etched into my brain via laser beam once completed. So, basic config:
I know that diagram is juvenile...but I don't have visio installed at home! So, better a paint visio than nothing at all. So quit your bitching and snickering.
Then a couple of nodes hooked up to each on a separate vlan. I had vlans 1, 10, 20, 30, 40 running on all of the switches. I distributed the vlans from switch 1 via vlan trunking protocol version 2. So....switches 1 and 2 are 3550 layer 3 switches. The book had me make sw1 the active hsrp router for 1, 10, and 20. SW2 was the standby for those, and the active router for....dadada, you guessed it 30 and 40. Basic config looked like this under the svi interfaces:
standby 1 ip 172.16.x.x
standby 1 preempt
standby 1 priority 150 (on the active switch, remember that 100 is the default)
So all went as planned. The correct switches became the active router for the proper vlans, the other became the standby. I manipulated the hello and hold timers on vlan 40, on the active router, and noticed that it actually passed these values on to the standby router...cool shit.
Umm, I then went off track and started doing my own thing. I manipulated spanning tree so that switch2 would become the root switch for its vlans (30,40). SW1 was the root switch by default for all vlans because of its low mac address. I used this command...I think:
spanning-tree vlan 30,40 root primary (that's off the top of my head so I think it's accurate)
Then finally I tracked the port channel on SW1 on its active vlan interfaces (1, 10, 20).
(config)int range vlan 1, vlan 10, vlan20
(config-if-range) standby 1 track port-channel 1 51 (decrement to drop priority below 100 so that SW2 will take over as active router)
Something I noticed was that I had an active/active state for about 45 seconds where both switches were the active switch for all vlans. Finally SW2 took over the active role however. Need to look up some literature on this anomaly. Guess which vlan came out of active/active first?.....the one I lowered the hello and hold timers on! 40
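As an added example (not from the post), a Python model of the election with preempt and tracking; it shows why the decrement has to be 51 rather than 50, and that the standby only takes over if it has preempt itself. Names, addresses and the tracked object are constructed after the lab.

```python
import ipaddress

# Added example: a model of one HSRP group with preempt and tracking, not IOS code.

class HsrpRouter:
    def __init__(self, name, ip, priority=100, preempt=False, track=None):
        self.name, self.ip = name, ip
        self.base_priority, self.preempt = priority, preempt
        self.track = dict(track or {})   # tracked object -> decrement
        self.down = set()                # tracked objects currently down

    @property
    def priority(self):
        """'standby 1 track <obj> <dec>' lowers the priority while <obj> is down."""
        return self.base_priority - sum(d for obj, d in self.track.items() if obj in self.down)

class HsrpGroup:
    def __init__(self, routers):
        self.routers = list(routers)
        self.active = None

    def _best(self):
        # Highest priority wins; an equal priority is broken by the higher IP.
        return max(self.routers, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))

    def converge(self):
        """The current active keeps the role unless some router has preempt and a
        strictly higher priority. Returns the active router's name."""
        best = self._best()
        if self.active is None:
            self.active = best
        elif best is not self.active and best.preempt and best.priority > self.active.priority:
            self.active = best
        return self.active.name

    def link(self, router, obj, up):
        """A tracked object on `router` changes state; returns the active router."""
        if up:
            router.down.discard(obj)
        else:
            router.down.add(obj)
        return self.converge()

def lab(sw2_preempt=True, decrement=51):
    """SW1 active at 150 tracking Port-channel1; SW2 at the default 100."""
    sw1 = HsrpRouter("SW1", "172.16.1.2", priority=150, preempt=True,
                     track={"Port-channel1": decrement})
    sw2 = HsrpRouter("SW2", "172.16.1.3", priority=100, preempt=sw2_preempt)
    g = HsrpGroup([sw1, sw2])
    g.converge()
    return g, sw1

if __name__ == "__main__":
    g, sw1 = lab()
    print("Po1 down, decrement 51:", g.link(sw1, "Port-channel1", up=False), sw1.priority)
    print("Po1 back up:           ", g.link(sw1, "Port-channel1", up=True))
    g, sw1 = lab(decrement=50)
    print("Po1 down, decrement 50:", g.link(sw1, "Port-channel1", up=False), "(tie, no preemption)")
    g, sw1 = lab(sw2_preempt=False)
    print("SW2 without preempt:   ", g.link(sw1, "Port-channel1", up=False))
```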
Sunday, August 23, 2009
STP Features
I felt a little weak on certain STP features, and the BCMSN lab manual unfortunately did not touch on any of them. In particular they were:
Root Guard: Protects ports from receiving superior BPDUs, i.e. root bridges cannot be detected on these ports once it is enabled. If superior BPDUs are detected the port will be placed into a root-inconsistent state. This can be verified with the sh span inconsistentports command.
BPDU Guard: Use this if you want no BPDUs to be accepted on a port. If BPDUs are found, the port will be placed into err-disabled. Use it where portfast is enabled!
LoopGuard: If you have a port in blocking, root, or maybe any other non-designated role that experiences a sudden loss of BPDUs, you could be in trouble. Once that BPDU max-age timer expires the switch will roll that blocking (or whatever) port into the forwarding state because BPDUs are suddenly gone. This can create a switching loop. Loopguard prevents this...check it out. I had two switches connected, and used BPDU filtering on the port connected to this switch...thus cutting off the BPDUs..here's what happened:
*Mar 1 00:27:04.387: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Fast Ethernet0/2 on VLAN0001.
3550-48#sh spanning
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000d.65eb.5e80
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0014.692f.7f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Desg BKN*19 128.2 P2p *LOOP_Inc
Fa0/16 Altn BLK 19 128.16 P2p
3550-48#sh spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
VLAN0001 FastEthernet0/2 Loop Inconsistent
Number of inconsistent ports (segments) in the system : 1
Don't forget about UDLD (detects a unidirectional link, the usual cause of the lost-BPDU problem loop guard covers, by exchanging its own echo messages with the neighbor) and BPDU filtering (which tells the switch to neither send nor accept BPDUs on certain interfaces). Be careful with BPDU filter: on a port that actually faces another switch it silently turns STP off for that link, which is exactly what produced the lost BPDUs in the lab above. On host ports prefer BPDU guard.
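Here is how the three features plus UDLD fit together on one access switch. This is an added example, not config from the post or the lab manual; the interface numbers, VLAN 10 and which port is the uplink are assumptions.

```ios
! Added example: STP protection on an access switch (interfaces assumed).
!
! Uplink toward the distribution layer. The root is only ever learned here,
! and a sudden loss of BPDUs here must not be mistaken for "no loop".
interface GigabitEthernet0/1
 description Uplink to DLS1
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! Port toward a downstream switch: a superior BPDU arriving here means a
! misconfigured (or hostile) switch is trying to become root. Root guard
! and loop guard are mutually exclusive on a port, so pick per role.
interface GigabitEthernet0/2
 description Downstream access switch
 switchport mode trunk
 spanning-tree guard root
!
! End-host ports: PortFast for fast link-up, BPDU guard so a rogue bridge
! or a host running a spanning-tree daemon err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same protections as global defaults (BPDU guard on every PortFast port,
! loop guard on every point-to-point port), plus automatic recovery so an
! err-disabled port does not need a site visit.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
! show spanning-tree inconsistentports   -> root- and loop-inconsistent ports
! show interfaces status err-disabled    -> ports shut by BPDU guard
! show udld neighbors
```

Never put root guard on the port that really does face the root: it will block the instant the root's BPDU arrives.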
MST
Set up MST out of the BCMSN lab portfolio tonight.... I did it off of 3 switches though, and they had me run through what I thought was a pretty basic configuration of MST. 3 switches, all interconnected in a triangle fashion. All had vlans 1, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100. With per-vlan stp you basically had an instance running for each, 11 in total. All instances were computing the same stp topology, over the same physical connections. A bit redundant ehe?@?
So MST lets you "group" these vlans. Heres what I did with some output omitted of course:
POE(config)#spanning-tree mode ?
mst Multiple spanning tree mode
pvst Per-Vlan spanning tree mode
rapid-pvst Per-Vlan rapid spanning tree mode
POE(config)#spanning-tree mode mst
POE(config)#spanning-tree mst ?
WORD MST instance range, example: 0-3,5,7-9
configuration Enter MST configuration submode
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
max-hops Set the max hops value for the spanning tree
POE(config)#spanning-tree mst config
POE(config)#spanning-tree mst configuration ?
POE(config)#spanning-tree mst configuration
POE(config-mst)#?
abort Exit region configuration mode, aborting changes
exit Exit region configuration mode, applying changes
instance Map vlans to an MST instance
name Set configuration name
no Negate a command or set its defaults
private-vlan Set private-vlan synchronization
revision Set configuration revision number
show Display region configurations
POE(config-mst)#sh current
Current MST configuration
Name []
Revision 0 Instances configured 1
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------
POE(config-mst)#sh pending
Pending MST configuration
Name []
Revision 0 Instances configured 1
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------
POE(config-mst)#name ?
WORD Configuration name
POE(config-mst)#name cisco ?
POE(config-mst)#name cisco
POE(config-mst)#revision ?
<0-65535> Configuration revision number
POE(config-mst)#revision 1
POE(config-mst)#instance 1 ?
vlan Range of vlans to add to the instance mapping
POE(config-mst)#instance 1 vlan ?
LINE vlan range ex: 1-65, 72, 300 -200
POE(config-mst)#instance 1 vlan 20-50
POE(config-mst)#instance 2 vlan 80, 100
POE(config-mst)#sh pending
Pending MST configuration
Name [cisco]
Revision 1 Instances configured 3
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-19,51-79,81-99,101-4094
1 20-50
2 80,100
-------------------------------------------------------------------------------
POE(config-mst)#exit
POE#sh spanning-tree mst config
Name [cisco]
Revision 1 Instances configured 3
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-19,51-79,81-99,101-4094
1 20-50
2 80,100
-------------------------------------------------------------------------------
Now when I run a simple show spanning-tree I will basically see 3 instances (i.e. 3 stp calculations) versus the 11 we saw earlier. Brilliant! I also did a bit of unplugging as I went with some different debugs running. The best command I hit was debug spanning mst roles. Great output.
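The part the single-switch transcript above cannot show is that MST only works as a region when every switch carries the identical name, revision and VLAN-to-instance map, and that you then place the root per instance. This is an added example, not from the post; the hostnames SW2/SW3 and the priority values are assumptions.

```ios
! Added example: same MST region on the other two switches, plus root
! placement per instance. Hostnames and priorities are assumptions.
!
! --- on SW2 and SW3: region definition identical to POE's ---
spanning-tree mode mst
spanning-tree mst configuration
 name cisco
 revision 1
 instance 1 vlan 20-50
 instance 2 vlan 80, 100
 exit
!
! --- root placement: split the instances between two switches so each
! uplink forwards for some VLANs instead of one link sitting idle ---
! on SW2: root for the IST (instance 0) and instance 1, backup for 2
spanning-tree mst 0-1 priority 4096
spanning-tree mst 2 priority 8192
! on SW3: the opposite
spanning-tree mst 0-1 priority 8192
spanning-tree mst 2 priority 4096
!
! A switch whose name, revision or map differs by even one VLAN forms its
! own region and only talks to ours through the IST, so a port toward it
! shows up as a boundary port in "show spanning-tree mst". Treat that
! boundary like any other STP edge (root guard where appropriate).
!
! Verification
! show spanning-tree mst configuration   (compare on all three switches)
! show spanning-tree mst 1               (root, role and state per port)
! show spanning-tree mst interface FastEthernet0/1
```

Bump the revision number on all switches together when you change the map; changing it on one switch alone splits the region.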
Friday, August 21, 2009
EtherChannel Labs in BCMSN Lab Portfolio
Ran through the labs in the BCMSN portfolio tonight concerning etherchannels. Fun little lab really. Simple, yet to the point. Went over the various modes:
channel-group [#] mode [active (LACP), auto (PAgP), desirable (PAgP), passive (LACP), on]
(active and desirable initiate the negotiation; passive and auto only answer, so passive-passive or auto-auto never forms a channel; on forces the bundle with no negotiation at all)
Actually did not have enough crossovers to do the entire lab with, but made my own little scenario up and used bits and pieces from theirs. Did some Layer 2 EtherChannels, along with an L3 channel using IP addresses on which to verify connectivity. Used the show commands:
show etherchannel summary
show etherchannel [#] port-channel
show etherchannel load-balance
And configured different load balancing mechanisms with the command
(config)port-channel load-balance [src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip] (the list of hash types varies by platform)
Lastly, learned a cool interface command that lets you pin the negotiation protocol (either LACP or PAgP), so the port only accepts channel-group modes belonging to that protocol
(config-if)channel-protocol [lacp | pagp]
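Putting the pieces together: one Layer 2 LACP bundle and one Layer 3 PAgP bundle, with the load-balancing hash set. This is an added example rather than the lab's own config; interface numbers, VLANs and addresses are assumptions.

```ios
! Added example: L2 LACP bundle and L3 PAgP bundle (interfaces assumed).
!
! --- Layer 2 bundle, LACP. Active here, active or passive on the
! neighbour. Speed, duplex, trunk mode and allowed VLANs must match on
! every member, or that member is suspended from the bundle. ---
interface range GigabitEthernet0/1 - 2
 channel-protocol lacp
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! --- Layer 3 bundle, PAgP. Desirable negotiates with auto or desirable.
! "no switchport" goes on the members before channel-group, so the
! Port-channel is created as a routed interface. ---
interface range GigabitEthernet0/3 - 4
 no switchport
 channel-protocol pagp
 channel-group 2 mode desirable
!
interface Port-channel2
 no switchport
 ip address 10.1.12.1 255.255.255.252
!
! Hash on source and destination IP so flows spread across members; the
! default on many platforms is source MAC only, which pins all traffic
! from one router to one member.
port-channel load-balance src-dst-ip
!
! Verification
! show etherchannel summary        (P = bundled, s = suspended, D = down)
! show etherchannel 1 port-channel
! show etherchannel load-balance
! show lacp neighbor
! show pagp neighbor
```

Mode on is the weak setting here: nothing verifies the far end, so a cabling mistake either black-holes traffic or, with STP seeing one logical link where there are really two, forms a loop. Use LACP or PAgP unless the far end cannot negotiate. The encapsulation line is for 3550/3560-class switches; platforms that only do 802.1Q reject it.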
Tuesday, August 18, 2009
Private Vlans
I might have hit this before...but I read about private VLANs, VACLs, switch spoofing, and VLAN hopping again tonight in the exam study guide. I really feel like I am taking this material in very well. I work within a fully switched environment every day, and have had some good exposure to it throughout my career, so this stuff is sitting pretty well in my mind, and is even answering some questions I had coming into the exam topics.
Private VLANs
A primary VLAN must be associated with its secondary VLANs through an association statement. Hosts in secondary VLANs can communicate with promiscuous ports in the primary VLAN (normally the router or firewall), but not with other secondary VLANs, and not with each other unless they are in the same "community." All secondary VLANs share the primary VLAN's IP subnet, so this is Layer 2 isolation inside one subnet. Secondary VLANs can be one of these two types:
- Isolated- isolated from everything except promiscuous ports. Hosts in an isolated VLAN cannot talk to each other, to community VLANs, or to any other secondary VLAN; only one isolated VLAN is allowed per primary.
- Community- hosts in the same community VLAN can communicate with each other and with promiscuous ports, but not with any other secondary VLAN.
And ports come in two modes:
- Promiscuous- use this for routers/firewalls/gateways. A promiscuous port bypasses the private VLAN rules and can communicate with every secondary VLAN (isolated or community) mapped to it.
- Host- connected to a regular host...must abide by the rules of the secondary VLAN it is in.
VLAN config (the switch has to be in VTP transparent mode; VTP v1/v2 do not carry private VLANs)
(config)vlan [vlan-id]
(config-vlan)private-vlan [isolated | primary | community]
(config-vlan)private-vlan association [secondary vlan list] [add|remove] - use this on the primary VLAN to associate the secondary VLANs ***
Interface config
(config-if)switchport mode private-vlan [host | promiscuous] - set the mode
(config-if)switchport private-vlan host-association [primary vlan id] [secondary vlan id] - if in host mode
(config-if)switchport private-vlan mapping [primary vlan id] [secondary vlan list] [add|remove] - this is for promiscuous mode. An SVI on the primary VLAN needs the equivalent (config-if)private-vlan mapping [secondary vlan list] or the switch itself cannot route for the secondary VLANs.
Look familiar :) It basically replaces these....:
(config-if)switchport mode access
(config-if)switchport access vlan [vlan-id]
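A complete private VLAN build, with the one caveat people miss: the isolation is Layer 2 only, so an isolated host can still reach its isolated neighbour by sending the packet to the gateway's MAC and letting the router route it straight back into the subnet. The fix is an ACL on the gateway that drops traffic whose source and destination are both in the subnet. This is an added example, not from the post; VLAN numbers, interfaces and the 10.10.100.0/24 subnet are assumptions.

```ios
! Added example: primary 100 with isolated 101 and community 102 (assumed).
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated hosts: reach only promiscuous ports, never each other.
interface range FastEthernet0/1 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: reach each other and promiscuous ports.
interface range FastEthernet0/11 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: the external router/firewall, sees both secondaries.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! If this switch is the gateway, the SVI needs the same mapping, and the
! ACL closes the "bounce off the gateway" hole: with no such rule the
! router would happily route isolated host A -> isolated host B.
ip access-list extended pvlan-bounce
 deny   ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
 permit ip any any
!
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group pvlan-bounce in
!
! Verification
! show vlan private-vlan
! show interfaces FastEthernet0/1 switchport
```

If the gateway is the external router on Gi0/1 instead of the SVI, the same deny/permit pair goes on that router's inside interface.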
Monday, August 17, 2009
All Things Voice...Almost
This is going to be more config stuff than anything. But I read some voice/qos/cos stuff, so I need to offload at least a bit into this blog tonight. My notes f#$#!@ suck though, so this might be a bit more of a mess than some of my other posts. But here we go anyways.
Best effort delivery- No real quality of service (QoS) here. The network devices just deliver packets or frames in the order they are received.
Integrated Services Model (IntServ)- This model clears a path through the network for priority traffic using the Resource Reservation Protocol (RSVP). The application requesting QoS sends its request via RSVP; RSVP in turn asks every network device along the path whether it can support the request. If every hop grants it, the path is reserved end to end for that flow. Imagine a fire truck going through the city....the cops would have all the intersections cleared for it in advance of its arrival.
Differentiated Services Model (DiffServ)- QoS is handled per hop rather than per flow. As traffic arrives at each network device, the QoS decision is made from the marking carried in the packet header (the DSCP field). No end-to-end reservation is needed, which is why DiffServ scales where IntServ does not.
The IP Type of Service (ToS) byte can be read two ways:
Original ToS byte:
- IP precedence - 3 bits
- ToS flags - 4 bits
- must be zero - 1 bit
DiffServ (DSCP is the top 6 bits of the same byte):
- Class selector - 3 bits (lines up with the old IP precedence)
Class 6 (CS6) Internetwork control (routing protocols)
Class 5 (EF, DSCP 46) Expedited forwarding (voice and other critical data)
Classes 1-4 (AF1x-AF4x) Assured forwarding (not left to best effort)
Class 0 (CS0) Best effort delivery
- Drop precedence - the remaining 3 bits, of which 2 carry the value and the last is 0
Low - 1
Med - 2
High - 3
Written as AF(class)(drop precedence); AF23 = Assured Forwarding class 2, high drop precedence (dropped first when the class is congested)
Basic config:
(config)mls qos (enable QoS globally on the device; until you do, every port is trusted and markings pass through untouched)
(config-if)mls qos trust cos - trust the CoS value unconditionally on this port (mls qos trust dscp does the same for the Layer 3 marking)
(config-if)mls qos trust device cisco-phone - only honour that trust while a Cisco phone is actually detected by CDP; unplug the phone and plug in a PC, and the port goes back to untrusted
(config-if)switchport priority extend trust (extends the trust boundary beyond the Cisco phone to the PC behind it; by default trust stops at the phone and the phone rewrites the PC's CoS)
show mls qos [int]
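The security point behind all of this is the trust boundary: markings are just bits any host can set, so the switch decides where to start believing them. This added example (not the post's config; interface names and VLAN numbers are assumptions) shows a phone port, a plain user port with the weak setting called out, and the uplink.

```ios
! Added example: trust boundary at the access layer (interfaces assumed).
mls qos
!
! Phone port: trust CoS only while CDP sees a Cisco phone. The phone is
! told to rewrite its PC port's CoS to 0 rather than pass it, so a user
! cannot tag their own traffic 802.1p 5 and ride the voice queue.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
 mls qos trust device cisco-phone
 switchport priority extend cos 0
 spanning-tree portfast
!
! Plain user port: nothing trusted, every frame re-marked to CoS 0.
! The weak setting would be "mls qos trust cos" here with no device
! condition: then any host's markings are honoured as-is.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 mls qos cos 0
 mls qos cos override
!
! Uplink: traffic arriving from inside the trust boundary keeps its DSCP.
interface GigabitEthernet0/1
 switchport mode trunk
 mls qos trust dscp
!
! Verification
! show mls qos interface FastEthernet0/1     (trust state and trust device)
! show mls qos maps cos-dscp
```

Check the phone port with a laptop plugged in directly: show mls qos interface should report the port as not trusted until a phone is back on it.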
Wireless
Well, we should all know a bit about this stuff already, but here's the gist of it from the CBT videos. I will probably, like most of my other posts, have to post another wireless section as I read about it in the BCMSN Official Exam Certification Guide.
-WLAN (wireless local area network)...no shit sherlock, cummon
-Basic Service Set- one access point with its associated stations comprises a basic service set.
-Extended Service Set- one or more BSSs that appear as one logical BSS to the link layer of the connected devices
[Figure: BSS versus ESS diagram. Image source: www.extremetech.com/article2/0,2845,1073,00.asp]
The wireless "cell" is essentially the area of coverage that the AP provides, and a host must form an association with an access point by matching both the SSID and the authentication measures.
There are essentially 2 types of wireless scanning:
- Active- the client sends probe requests and waits for probe responses from APs.
- Passive- the client just listens for the beacon frames that APs send out periodically.
Authentication options:
- Open System- no authentication at all; anyone can associate. Any real security then has to come from WPA/WPA2 on top of it.
- Shared key- WEP shared-key authentication, or a WPA/WPA2 pre-shared key. WEP is broken and should be treated as no security.
- MAC authentication- not mentioned but important to remember, though it is easily spoofed since client MAC addresses are sent in the clear.
The Wi-Fi Alliance created WPA and WPA2.
Standard- typical throughput- max data rate; indoor range, band
802.11a- 25 Mbps- 54 Mbps; 100 ft indoors, 5 GHz
802.11b- 6.5 Mbps- 11 Mbps; 100 ft indoors, 2.4 GHz
802.11g- 25 Mbps- 54 Mbps; 100 ft indoors, 2.4 GHz
802.11n- 200 Mbps- 540 Mbps; 160 ft indoors, 2.4 or 5 GHz
IrDA- Infrared Data Association
version 1.0 = 1 meter @ 115 Kbps
version 1.1 = 1 meter @ 4 Mbps
Antennas
- Yagi-Uda- uni-directional or "directional" antennas; point to point
- Omni- all directions; point to multipoint
Aironet system tray utility color definitions:
red - low signal
yellow - fair signal
green - very good signal
lt gray - not EAP authenticated; connection present though
dark gray - no connection
white - adapter is disabled
Thursday, August 13, 2009
VRRP, GLBP, Server load balancing
Couple of topics in this one!
Virtual Router Redundancy Protocol- RFC 2338
This is an OPEN standard...meaning not Cisco proprietary. You have a master and one or more backup routers. You still create a "virtual router", and the virtual IP address may be a spare address or the real interface address of one of the routers (that router is then the "owner" and runs with priority 255). Preempt is enabled by default, the routers send their advertisements to multicast address 224.0.0.18 (IP protocol 112), and the virtual router's MAC address is 0000.5e00.01XX (where XX is the group number in hexadecimal). The IOS implementation supports object tracking so the priority can follow the state of an uplink. Learn more at:
http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html
Gateway Load Balancing Protocol
This IS a Cisco proprietary protocol. You still have your configuration in a "group," and there is still a virtual router with one virtual IP, but there are multiple virtual MAC addresses (one per forwarder, up to four), which is how you get load balancing. The Active Virtual Gateway (AVG) answers ARP requests for the virtual IP and hands out the forwarders' virtual MACs, by default in round-robin fashion: one host gets router 1's MAC, the next gets router 2's MAC, and so on. Every host uses the same virtual IP but they spread across the forwarders by MAC. The MAC hand-out can be one of 3 modes...round-robin, host-dependent (a given host always gets the same MAC), or weighted (e.g. router 1 weight 50, router 2 weight 10, router 3 weight 40, handed out in proportion).
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
Server Load Balancing
Basically you can take a group of servers and configure the router to present them as one entity: a virtual server address, with the router spreading incoming connections across the real servers. More to come...
http://www.ciscopress.com/articles/article.asp?p=1355228
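To make the VRRP and GLBP notes concrete, here is both protocols configured on a pair of routers, each with tracking and MD5 authentication. This is an added example, not from the post or the linked Cisco docs; hostnames, addresses, interface names and the key strings are assumptions.

```ios
! Added example: VRRP on one segment, GLBP on another (all values assumed).
!
! --- VRRP, router R1 (intended master). Preempt is on by default, so the
! priorities decide. The virtual IP is a spare address on purpose: using
! R1's own interface address would make R1 the owner, fixing its
! priority at 255 so no decrement could ever hand the role over. ---
track 10 interface Serial0/0 line-protocol
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 vrrp 1 ip 10.1.1.1
 vrrp 1 priority 120
 vrrp 1 track 10 decrement 30
 vrrp 1 authentication md5 key-string VrrpK3y
!
! --- VRRP, router R2 (backup): same group, same key ---
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 vrrp 1 ip 10.1.1.1
 vrrp 1 priority 100
 vrrp 1 authentication md5 key-string VrrpK3y
!
! --- GLBP, router R1 (AVG). Weighted: R1's MAC answers 70 of every 100
! ARP requests, R2's 30. Losing the tracked uplink drops R1's weight
! below the lower threshold and it stops being used as a forwarder. ---
track 20 interface Serial0/1 line-protocol
!
interface FastEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 glbp 1 ip 10.2.2.1
 glbp 1 priority 120
 glbp 1 preempt
 glbp 1 load-balancing weighted
 glbp 1 weighting 70 lower 50 upper 60
 glbp 1 weighting track 20 decrement 30
 glbp 1 authentication md5 key-string GlbpK3y
!
! --- GLBP, router R2 ---
interface FastEthernet0/1
 ip address 10.2.2.3 255.255.255.0
 glbp 1 ip 10.2.2.1
 glbp 1 load-balancing weighted
 glbp 1 weighting 30
 glbp 1 authentication md5 key-string GlbpK3y
!
! Verification
! show vrrp brief      (state, priority, master address)
! show glbp brief      (AVG and AVF roles, weighting)
```

The authentication lines are not optional in practice: both protocols elect the gateway from multicast hellos, so any host on the segment that can send a higher-priority hello becomes the gateway and sees all the traffic. MD5 makes that require the key.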
HSRP Interface Tracking
I talked briefly about how you can track interfaces with HSRP during my last posting. Consider the following diagram: [Diagram: PE1 and PE2 running HSRP, with PE1's Ethernet2 as the uplink to the central router.] Imagine PE1 and PE2 are in a standard HSRP configuration. PE1 is the active router, and the main route out of the network is out of Ethernet2 to the central router. However, if this interface were to go down for any reason, we want the priority of PE1 to go below that of PE2, so that PE2 takes over and can route to that central router. Interface tracking is a prime solution for this dilemma. The config would be as follows:
PE1
(config-if)standby [group #] track ethernet2 [decrement value] - if PE1 is 120, and PE2 is the default value of 100, then the decrement must be greater than 20 (an equal priority is a tie, decided by the higher interface IP address). The default decrement is 10.
PE2
(config-if)standby [group #] preempt - most people forget this command, but it must be entered for PE2 to take over when PE1's priority drops below its own. Without preempt a router that is already active keeps the role no matter what the priorities say.
Verify the decrement and tracking with the show standby command.
To debug HSRP use the debug standby command (go figure...standby again)
Tuesday, August 11, 2009
HSRP: RFC 2281
Studied HSRP, or Hot Standby Router Protocol. It is described in RFC 2281 (an informational RFC; the protocol is Cisco proprietary). It gives two or more routers or L3 switches redundancy if one fails, by creating a virtual router with its own virtual MAC and IP address that the hosts use as their default gateway. The participating routers will be in one of two roles:
Active or standby
This protocol was not really designed for "load balancing", but for redundancy. However, load balancing can be achieved by assigning two standby groups to an interface with two separate virtual IPs. The downside...you have to manually configure your hosts to use one gateway or the other in order to load balance (there are other protocols for this!!)
The states for HSRP are as follows:
- disabled- the interface is not running HSRP
- initial (init)- HSRP is configured and the interface has just come up; nothing has been heard yet
- learn- the router does not know the virtual IP yet and is waiting to hear it from the active router
- listen- the router knows the virtual IP but is neither active nor standby; it listens for hellos
- speak- the router is sending hellos and taking part in the election
- standby- the router is the candidate to become active and is sending hellos
- active- the router is forwarding packets sent to the virtual IP address and is sending hellos
Virtual MAC address: 0000.0c07.acxx (where xx is the group number in hexadecimal)
Commands to configure and show:
(config-if)standby [group #] ip [ip address] - the same on both routers; this is the virtual IP
(config-if)standby [group #] priority [0-255] - the highest priority wins the active role (default 100; a tie goes to the higher interface IP)
(config-if)standby [group #] preempt - lets the router take the active role when its priority is higher; without it an already-active router keeps the role
(config-if)standby [group #] mac-address [xxxx.xxxx.xxxx] - override the default virtual MAC
(config-if)standby [group #] authentication [text string | md5 key-string string] - must match on both routers; use md5, the default is the cleartext string "cisco"
show standby
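The two HSRP posts together describe one setup: PE1 active with a tracked uplink, PE2 preempting when PE1's priority falls. Here it is end to end, with MD5 authentication added. This is an added example, not the post's own config; the hostnames, addresses, interface names, key string and group number are assumptions.

```ios
! Added example: PE1/PE2 HSRP with tracking and MD5 auth (values assumed).
!
! --- PE1 (intended active): priority 120. If Ethernet2 goes down the
! priority falls to 90 (120 - 30), below PE2's 100, and PE2 preempts.
! Preempt on PE1 too, so it takes the role back when the uplink returns.
interface Ethernet2
 description Link to central router
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 120
 standby 1 preempt
 standby 1 track Ethernet2 30
 standby 1 authentication md5 key-string Hsrp-K3y
!
! --- PE2 (standby): default priority 100. Preempt is the line people
! forget; without it PE2 only becomes active if PE1 stops sending hellos
! entirely, not when PE1's priority merely drops.
interface Ethernet0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 preempt
 standby 1 authentication md5 key-string Hsrp-K3y
!
! Why the authentication line matters: HSRPv1 hellos go to 224.0.0.2
! UDP 1985 in cleartext. Any host on the VLAN that sends hellos with
! priority 255 becomes active and receives every frame addressed to the
! virtual MAC 0000.0c07.ac01, i.e. a gateway hijack. The default text
! string "cisco" is no protection; MD5 with a real key is.
!
! Verification
! show standby brief            (state, priority, active/standby address)
! show standby Ethernet0 1       (tracked interface and decrement)
! debug standby events          (state transitions during a failover test)
```

Test it by shutting Ethernet2 on PE1 and watching show standby brief on both routers: PE1 should go to standby with priority 90, PE2 to active.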
Friday, August 7, 2009
Thursday, August 6, 2009
Multi-layer switching
Started on MLS tonight. Actually had a couple of drinks while studying so I am feeling pretty well right now... CEF or Cisco Express Forwarding is the predominant method used by Layer 3 switches nowadays. CEF keeps a forwarding information base (FIB), built from the routing table, for the L3 lookup, and an adjacency table, built from ARP, for the L2 rewrite information. Layer 3 switching consists of 2 planes, which I actually need to do a bit more reading on:
Control plane: the CPU builds the routing table (from the routing protocols) and the ARP table, then derives the FIB and the adjacency table from them.
Data plane: forwards packets in hardware using the FIB (next-hop lookup) and the adjacency table (the L2 rewrite: new source and destination MAC, decremented TTL) without touching the CPU.
Fastest switching to slowest...
- Distributed CEF (the FIB and adjacency tables are pushed to the line cards, each with its own forwarding hardware)
- CEF
- Fast switching (the first packet of a flow is process-switched and the result is cached for the rest)
- Process switching (every packet handled by the CPU)
Basic L3 commands:
(config)ip routing (enable IP routing on the damn switch! it's not enabled by default)
(config-if)no switchport (turn the port into a routed port so you can configure an IP address on it)
(config)interface vlan [#] (create an SVI, or switched virtual interface)
Fallback bridging: bridge a protocol the switch cannot route between VLANs
(config)bridge [#] protocol vlan-bridge
(config)int vlan [#]
(config-if)bridge-group [#]
Tuesday, August 4, 2009
DHCP snooping
This protects against a "rogue" DHCP server introduced into the network. A host generally accepts the first DHCPOFFER it receives, so if the rogue server answers first with a valid address but with itself as the gateway, or itself as the DNS server, it ends up in the path of all traffic from the affected hosts (a man in the middle). Switches have a means of protecting against this called DHCP snooping, which classifies every port as one of:
**Trusted- the interface may carry DHCP server messages (OFFER, ACK, NAK); use it for the uplink toward the real server or relay
**Untrusted- server messages arriving here are dropped, and the client hardware address inside each DHCP message is checked against the frame's source MAC. All ports are untrusted by default once snooping is enabled. A port is only err-disabled if it exceeds a configured rate limit (ip dhcp snooping limit rate), not just for sending unauthorized DHCP traffic.
(config)ip dhcp snooping
(config)ip dhcp snooping vlan [vlan-list] (snooping only starts on the VLANs you list)
(config-if)ip dhcp snooping trust (trusts the interface)
(config)ip dhcp snooping information option (inserts DHCP option 82, relay agent information; on by default. If the upstream relay is not set to accept option 82 from a zero giaddr it drops the requests, so either turn this off or configure the relay to trust it)
show ip dhcp snooping
show ip dhcp snooping binding
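The whole thing on one access switch, including the rate limit that does the err-disabling and the option 82 decision. This is an added example, not the post's config; VLAN numbers, interface numbers and which port is the uplink are assumptions.

```ios
! Added example: DHCP snooping on an access switch (interfaces assumed).
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Only the uplink toward the real DHCP server (or relay) may source
! OFFER/ACK/NAK. Trust nothing else, especially not other access ports.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default once snooping is on): server
! messages from a rogue are dropped silently. The rate limit is what
! actually err-disables a port, e.g. a host flooding DISCOVERs with
! random MACs to exhaust the pool.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
!
! Option 82 is inserted by default. Keep it only if the relay or server
! upstream accepts it; a relay that does not will drop requests with
! giaddr 0 carrying option 82. The alternative to disabling it here is
! "ip dhcp relay information trust-all" on the relay.
! no ip dhcp snooping information option
!
! Keep the binding table across reboots; it maps MAC/IP/VLAN/port for
! each lease and is what DAI and IP Source Guard look up.
ip dhcp snooping database flash:/dhcp-snooping.db
!
! Verification
! show ip dhcp snooping            (VLANs, trusted ports, option 82 state)
! show ip dhcp snooping binding    (MAC, IP, lease time, VLAN, interface)
```

A quick test is to plug a laptop running a DHCP server into an access port: its OFFERs never reach the other hosts, and the drop counters in show ip dhcp snooping statistics climb.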
VLAN ACL's or VACL's
So....never knew about these little guys! Turns out that you cannot filter traffic from, say, a host on VLAN 1 to other hosts on VLAN 1 with a regular ACL. Because the traffic never crosses a routed "interface", there is nowhere to apply an inbound or outbound ACL to permit or deny it. That is where VACLs come into play. They let you identify traffic with an ACL and create a filter that will permit or deny that traffic within the same VLAN. Here is the basic config:
**START IN GLOBAL CONFIGURATION MODE**
ip access-list extended 101
(config-ext-nacl)permit ip 192.168.20.0 0.0.0.3 192.168.20.0 0.0.0.255
vlan access-map [name] [sequence number]
(config-access-map)match ip address 101
(config-access-map)action [drop, forward]
vlan access-map [name] [sequence number]
(config-access-map)action forward (this is like an explicit forward for VACLs)
vlan filter [name] vlan-list [#] (applies the access-map to the VLAN; nothing is filtered until you do this)
**1 VACL per VLAN
**reads from top to bottom just like a regular ACL
**They have an implicit deny...so add that final action forward if you want to forward additional traffic
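The top-to-bottom evaluation and the implicit deny are easy to get wrong, so here is the VACL lookup modelled in Python. This is an added example, not Cisco code and not from the post; it matches addresses against an extended ACL using Cisco wildcard masks (a 1 bit means "don't care", so 0.0.0.3 covers four addresses), then walks the access-map clauses in sequence order. The ACL contents follow the 192.168.20.0 example above; the map names and host addresses are constructed.

```python
"""VACL evaluation with wildcard masks, modelled in Python (added example)."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored when comparing."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_matches(acl, src, dst):
    """Walk the ACL entries top to bottom.

    For a VACL only a 'permit' entry counts as a match; a 'deny' entry
    that hits ends the ACL lookup as a non-match, and no hit at all is
    the ACL's own implicit deny (also a non-match).
    """
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


def vacl_decision(access_map, acls, src, dst):
    """access_map: list of (sequence, acl_name or None, action).

    A clause with no match statement matches everything. If no clause
    matches, the access-map's implicit deny drops the packet.
    """
    for _seq, acl_name, action in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"


# ACL 101 from the post: the first four addresses of 192.168.20.0/24
# are not allowed to talk to anything else in the /24.
ACLS = {
    "101": [("permit", "192.168.20.0", "0.0.0.3", "192.168.20.0", "0.0.0.255")],
}
# Constructed access-maps: one with the final forward clause, one without.
FULL_MAP = [(10, "101", "drop"), (20, None, "forward")]
NO_FORWARD_MAP = [(10, "101", "drop")]


def demo():
    """Return the decision for a blocked host, an ordinary host, and the
    same ordinary host when the final forward clause is forgotten."""
    return {
        "blocked_host": vacl_decision(FULL_MAP, ACLS, "192.168.20.2", "192.168.20.50"),
        "other_host": vacl_decision(FULL_MAP, ACLS, "192.168.20.4", "192.168.20.50"),
        "other_host_no_forward": vacl_decision(NO_FORWARD_MAP, ACLS,
                                               "192.168.20.4", "192.168.20.50"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last case is the one the note about the implicit deny is warning about: without the sequence 20 `action forward`, every host in the VLAN that the ACL does not describe is silently dropped.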
SPAN
Switched Port Analyzer. Quite a cool little feature here. It lets you configure what is basically traffic mirroring on select ports (or VLANs) for transmission to a destination port, usually connected to some sort of network or traffic monitoring device.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Command Reference:
Local SPAN (1 switch)
(config)monitor session [#] source [interface, remote, vlan]
(config)monitor session [#] destination [interface, remote, vlan]
RSPAN (remote SPAN, across switches via a dedicated RSPAN VLAN)
Switch 1
(config)vlan [#]
(config-vlan)remote span
(config)monitor session [#] source [interface, remote, vlan]
(config)monitor session [#] destination remote [vlan #]
Switch 2
(config)vlan [#]
(config-vlan)remote span
(config)monitor session [#] source remote vlan [#]
(config)monitor session [#] destination interface [#]
Show commands:
show monitor [session] [#]
Port Security
Reviewed some port security measures last night. The basics are as follows:
**SWITCHPORT MUST BE IN ACCESS MODE TO CONFIGURE PORT SECURITY**
(config-int)switchport port-security
(config-int)switchport port-security maximum [#] - basically how many MAC addresses the interface will accept
(config-int)switchport port-security mac-address [options] - a static MAC, or sticky to have learned MACs written into the running config
(config-int)switchport port-security violation [protect, restrict, shutdown]
- shutdown - shuts down the port and places it in err-disabled state :) (it's the default)
- restrict - drops violating frames, increments the violation counter, and notifies via syslog/SNMP
- protect - drops violating frames silently (does not go into err-disabled state)
(config)errdisable recovery cause [cause]
(config)errdisable recovery interval [seconds]
And finally the show command:
show port-security [interface [port]]
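The three violation modes read alike on paper but behave very differently when a second MAC shows up, so here is a port-security port modelled in Python. This is an added example, not Cisco code and not from the post; it applies maximum, sticky learning and the protect/restrict/shutdown actions to a constructed stream of source MACs on one access port. The port name and MAC addresses are constructed, and the syslog strings are approximations of IOS messages, not captured output.

```python
"""Port-security violation modes modelled in Python (added example)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"   # protect | restrict | shutdown (the default)
    sticky: bool = False
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    running_config: list = field(default_factory=list)  # sticky MACs land here
    syslog: list = field(default_factory=list)          # approximated messages

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"           # down until errdisable recovery or shut/no shut
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # learn it (dynamic or sticky)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # a MAC beyond the configured maximum: this is a violation
        if self.violation == "protect":
            return "drop"           # silent: no counter, no syslog
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(
                f"PORT_SECURITY violation (approx. message): {src_mac} on {self.name}")
            return "drop"
        # shutdown: the whole port goes err-disabled, legitimate host included
        self.err_disabled = True
        self.syslog.append(
            f"ERR_DISABLE psecure-violation (approx. message) on {self.name}")
        return "drop"

    def errdisable_recover(self):
        """What errdisable recovery (or shut/no shut) does to the port."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs.clear()  # dynamically learned MACs are forgotten


def demo_modes():
    """Same four frames against each violation mode; maximum 1 MAC."""
    frames = ["0000.1111.0001", "0000.1111.0002", "0000.1111.0001", "0000.1111.0003"]
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("Fa0/1", maximum=1, violation=mode)
        verdicts = [port.receive(m) for m in frames]
        out[mode] = (verdicts, port.violation_count, port.err_disabled)
    return out


def demo_sticky():
    """Sticky learning with maximum 2: learned MACs appear in the config."""
    port = SecurePort("Fa0/2", maximum=2, violation="restrict", sticky=True)
    for mac in ["0000.2222.0001", "0000.2222.0002", "0000.2222.0003"]:
        port.receive(mac)
    return port


if __name__ == "__main__":
    for mode, result in demo_modes().items():
        print(mode, result)
    print(demo_sticky().running_config)
```

Note the third frame in the shutdown case: once the port is err-disabled, the original legitimate host is cut off too, which is why shutdown is usually paired with `errdisable recovery`.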
Sunday, August 2, 2009
AAA
Tonight was a little AAA action (authentication, authorization, accounting). Luckily I set up a TACACS+ server a couple of weeks back, and did the configs on our switches at work as well. This basically gives an extra layer of security in that you are authenticating users against a remote database, and you can granularly assign them permissions on the devices (if needed). One of the best aspects is that you can actually hold people accountable for their actions! Yep, you can actually tell your devices to log every command a user runs. RADIUS is a little more limited in its authorization options, but is still a pretty good means of remote authentication for your Cisco devices.
Here are some basic commands:
(config)aaa new-model (enable the new AAA model on your device)
(config)radius-server host [ip address] [extra options]
(config)tacacs-server host [ip address] [extra options]
...you probably are going to have some "keys" to program in as well (check IOS help)
(config)aaa authentication login default group tacacs+ radius (this tells your device to authenticate incoming users with the default list...using the TACACS+ server first, then the RADIUS server only if the TACACS+ server does not respond; a rejected login does not fall through to the next method)
(config-line)login authentication default (points your "line" items to the default list for authentication)
I won't go into it here, but you then go into a bit more depth with authorization and accounting with the commands:
(config) aaa accounting [options]
(config) aaa authorization [options]
Saturday, August 1, 2009
EtherChannels
Finally a topic I was looking forward to a little bit!
Etherchanneling is the "logical" bundling of 2-8 physical connections between switches, also known as link aggregation. Etherchanneling provides greater throughput (i.e. bandwidth) and bypasses some of STP's shortcomings, such as convergence time (STP treats an etherchannel as 1 connection).
There are 2 main protocols within Etherchanneling:
- LACP (link aggregation control protocol, the IEEE standard)
  passive - switch will wait for the remote unit to initiate bundling (active is the side that initiates)
  on (no negotiation)
- PAgP (port aggregation protocol, Cisco proprietary)
  auto - switch will wait for the remote unit to initiate bundling (desirable is the side that initiates)
  on (no negotiation)
To properly channel, the port group # must match on both switches (i.e. the port or channel group number). Also, the remote device ID must be the same on every member link (i.e. it can only be switch to switch, not 1 switch to multiple switches).
Commands I saw:
(interface)channel-group [#] mode [auto, desirable, active, passive, on]
show interface port-channel [#]
show pagp [#] neighbor
show etherchannel brief
show etherchannel detail
show etherchannel summary
Cool class!
Little more spanning tree...
So, just a bit more I promise.
Unidirectional link detection (UDLD)
This is mostly for fiber optics, but is concerned with transmissions ONLY being able to be sent one way over a link (i.e. switch 1 can send to switch 2 over Po1, but switch 2 can no longer send anything over Po1 to switch 1).
To configure: (use IOS help)
(config)udld enable
(interface)udld port [aggressive]
Aggressive mode will err-disable the port if 8 consecutive UDLD hellos go unanswered after the neighbor stops responding.
LoopGuard
This feature will move an STP-enabled port from blocking to the loop-inconsistent state if BPDUs stop being received on it. It stops switching loops because in this instance (such as with a UDLD-type failure) the switch that is no longer receiving BPDUs would otherwise go from blocking to forwarding, sending packets over a link that was not actually dead (this usually occurs because BPDUs have stopped being received on a port other than the blocking port, which triggers the transition from blocking to forwarding).
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
To configure:
(config)spanning-tree loopguard default
(interface)spanning-tree guard loop
BPDU skew detection
This is a DETECTION mechanism for BPDUs that are not being relayed as quickly as they should be (it logs syslog messages). BPDUs should be received approx. every 2 seconds by every participating switch. If enabled, this feature will notify the proper personnel of the issue; it will NOT take any action.
Config (CatOS syntax):
set spantree bpdu-skewing enable
Rapid Spanning Tree Protocol 802.1w (vs. STP 802.1d)
Uses alternate and backup ports to speed convergence times.
States:
- discarding (replaces disabled, blocking, and listening)
- learning
- forwarding
PVST is per-VLAN spanning tree and is Cisco proprietary. It takes a little extra CPU and memory to run, but is great in that it allows you to run a separate instance of STP per VLAN in your network!
(Also have RPVST; you guess the name!)
Honorable mentions (probably need to hit these again later)
CST (common spanning tree)
MST (multiple spanning tree)